CN101501670B - Early authentication in cable modem initialization - Google Patents

Early authentication in cable modem initialization

Info

Publication number: CN101501670B
Authority: CN (China)
Prior art keywords: cable modem, cable modem termination system, message
Legal status: Active (the legal status is an assumption by Google and is not a legal conclusion)
Application number: CN2006800554928A
Other languages: Chinese (zh)
Other versions: CN101501670A
Inventor: 曾生尤
Current assignee: Cisco Technology Inc
Original assignee: Cisco Technology Inc
Events: application filed by Cisco Technology Inc; publication of CN101501670A; application granted; publication of CN101501670B; legal status active

Classifications

    • H04L 63/08: Network architectures or network communication protocols for network security; for authentication of entities
    • H04L 63/06: Network architectures or network communication protocols for network security; for supporting key management in a packet data network
    • H04N 7/104: Television systems; adaptations for transmission by electrical cable; circuits therefor; switchers or splitters
    • G06F 2221/2129: Indexing scheme for security arrangements protecting computers, components thereof, programs or data against unauthorised activity; authenticate client device independently of the user

Abstract

A system that eliminates some of the security vulnerabilities of prior-art systems by using a new sequence of steps to initialize a cable modem: instead of authenticating the cable modem after it has registered, the authentication step is performed immediately after the cable modem completes ranging. An early authentication method and system are thus provided. Control of authentication shifts from the cable modem to the CMTS: rather than relying on the Registration Request (REG-REQ) message to determine whether a cable modem must authenticate (that is, whether BPI+ is enabled), the CMTS configuration determines whether a cable modem must authenticate.

Description

Early authentication in cable modem initialization
Technical field
The present invention relates to broadband communication systems, and more specifically to broadband communication systems that use cable modems.
Background
DOCSIS (Data Over Cable Service Interface Specification) is the international standard that defines the interface for high-speed data transfer over cable networks. Among other things, DOCSIS specifies how a cable modem is initialized and authenticated.
The initialization and authentication process according to DOCSIS 2.0 involves several steps, including:
A) Downstream scan, during which the modem searches for a signal and obtains an Upstream Channel Descriptor (UCD). The UCD contains the information the cable modem needs in order to communicate with the Cable Modem Termination System (CMTS), for example the upstream frequency, modulation type and channel width.
B) Ranging, during which the modem adjusts its transmit power, frequency and timing as required to compensate for the distance between the modem and the CMTS.
C) DHCP (Dynamic Host Configuration Protocol), during which the modem obtains additional information about the network, obtains an IP address and obtains the name of its configuration file.
D) ToD (Time of Day), which provides a timestamp to the cable modem (this step is optional).
E) TFTP (Trivial File Transfer Protocol), during which the cable modem downloads the configuration file whose name was supplied during the DHCP exchange.
F) Registration, during which the cable modem sends a Registration Request to the CMTS together with the modem's configuration settings. If the CMTS approves the modem's settings, it responds with a Registration Response indicating successful registration.
G) The BPI+ (Baseline Privacy Interface Plus) process, during which the cable modem is authenticated. After successful authentication, the keys used to authenticate and encrypt subsequent data frames are distributed to the cable modem, and the keys' expiration times are established. The BPI+ process performs cable modem authentication after registration. BPI+ requires the cable modem to present an X.509 certificate to authenticate itself during initialization. If the cable modem fails authentication, the CMTS refuses it service and prevents it from coming online.
Note in particular that the BPI+ process is the last step of this cable modem initialization process.
Settings in the cable modem configuration file determine whether a particular cable modem is configured to perform the BPI+ process and authentication. The CMTS performs authentication only if the cable modem informs the CMTS in its registration message (REG-REQ) that BPI+ is enabled on the modem.
The REG-REQ message is a DOCSIS MAC-layer packet that the cable modem sends to the CMTS after the modem has obtained an address using DHCP and downloaded its configuration file using TFTP.
The contents of the REG-REQ message include data taken from the configuration file stored in the modem, and the data from that configuration file specify the particular services the cable modem is authorized to use. These data are signed with a secret known only to the TFTP server and the CMTS. They include an indication of whether the cable modem must authenticate using BPI+. Note that the indication that the modem must use BPI+ is conveyed via the configuration file, and this indication can be compromised.
The information the CMTS uses to determine whether BPI+ authentication will take place for a particular cable modem is stored in that modem's configuration file. A thief, however, may manipulate the cable modem configuration file and remove the BPI+ requirement. If such a change is made, cable modem authentication may be skipped even though the cable service operator supplied the cable modem with a configuration file that requires it to perform BPI+ authentication. In addition, before BPI+ authentication, all messages between the cable modem and the CMTS are unprotected.
Brief description of the drawings
Fig. 1 is an overall system view of the embodiments described herein.
Fig. 2 is a flow diagram showing the main steps in the operation of the embodiments described herein.
Fig. 3 is a detailed flow diagram showing the operation of an embodiment.
Fig. 4 shows an embodiment of the system shown in Fig. 1.
Fig. 5 shows an embodiment of the cable modem shown in Fig. 1.
Detailed description
Several preferred embodiments of the invention are described with reference to the drawings. Various other embodiments of the invention are also possible and practical. The invention may be embodied in many different forms and should not be construed as limited to the embodiments described herein.
The figures listed above illustrate the preferred embodiments of the invention and their operation. In the figures, the size of the boxes is not intended to represent the size of the various physical components. Where the same element appears in several figures, the same reference number is used for that element in all of the figures in which it appears.
Only those parts of the various units that are needed to convey an understanding of the embodiments to those skilled in the art are shown and described. Parts and elements not shown are conventional and known in the art.
In the following description, various specific details of the embodiments are set forth. It will be understood, however, that the invention may be practiced otherwise than with the specific details shown here. Furthermore, well-known circuits, structures and techniques are not shown or described, so as not to obscure this disclosure.
Fig. 1 is an overall block diagram of a first preferred embodiment of the invention. As shown in Fig. 1, a number of computers labeled A, B, C and D are connected to cable modems 21, 22 and 23 through local area networks (LANs) 10, 11 and 12. Cable modems 21, 22 and 23 are in turn connected to a Cable Modem Termination System (CMTS) 40 via coaxial cables 31 and 32. CMTS 40 is in turn connected to the Internet 50.
Note that the four computers and three cable modems shown in Fig. 1 are representative, and the system can include practically any number of computers and cable modems within the capacity limits of conventional systems. Note also that several computers can be connected to a single cable modem, as is the case for modem 21. Likewise, several modems can share a single coaxial connection to the CMTS, as is the case for cable 31. The configuration of Fig. 1 is therefore intended only to represent a system with a number of end units connected to a number of cable modems that are connected to a CMTS.
The prior-art initialization sequence for a cable modem consists of seven steps, namely: (1) downstream scan, (2) ranging, (3) DHCP (Dynamic Host Configuration Protocol), (4) ToD (Time of Day), (5) TFTP (Trivial File Transfer Protocol), (6) registration and (7) BPI+ (Baseline Privacy Interface Plus). Note that BPI+, the step that provides security, is the last step of the existing process. Furthermore, in the prior-art process, the BPI+ process is controlled by the configuration file in the cable modem.
In the exemplary embodiments described herein, as explained below, CMTS unit 40 controls whether cable modem authentication is performed. This effectively eliminates the possibility that someone takes control of the cable modem configuration file and thereby causes the modem to skip authentication.
Furthermore, in the exemplary embodiments described herein, authentication is performed before the cable modem establishes a layer 3 connection via DHCP and immediately after the cable modem completes ranging. And rather than the CMTS relying on the cable modem's REG-REQ to determine whether the cable modem must authenticate (that is, whether BPI+ is enabled), the CMTS itself determines whether the cable modem must authenticate. That is, the CMTS configuration determines whether the modem must perform authentication.
Note that in the exemplary embodiments described herein, spoofed or unauthorized cable modems can be prevented from gaining access to the network, and the cable modem configuration file cannot be manipulated so as to skip authentication.
Fig. 2 is a general flow diagram showing the initialization sequence used by the system described herein. First, as shown in block 210, a link-layer connection is established between the cable modem and CMTS 40. The link layer is established by the downstream scan and ranging. The downstream scan searches for a signal on the line and obtains the upstream channel descriptor (UCD). Ranging adjusts the modem's transmit power, frequency and timing as required to compensate for the distance between the modem and the CMTS.
Next, as shown in block 220, the CMTS determines whether early authentication is enabled for this modem. This is determined by the CMTS configuration.
As shown in block 221, if early authentication is not enabled for this modem, some special action is taken. For example, the modem can be initialized with the prior-art process, or alternatively an error signal can be generated and the process stopped.
If early authentication is enabled, authentication is performed on this modem as shown in block 222. This authentication process requires the modem to present an X.509 certificate to the CMTS in order to be authenticated. If authentication fails, special action is taken, as shown in block 224. For example, if authentication fails, the CMTS can be configured to drop all messages received from the modem except authentication messages. Alternatively, the CMTS can be configured to direct all of the modem's provisioning messages to a special "walled garden" that can later be monitored by a human operator, who can take any appropriate action. Or a policy can automatically set the specific action for the cable modem.
If authentication succeeds, IP connectivity is established in the conventional manner, as shown in block 225. IP connectivity is established by conventional DHCP (Dynamic Host Configuration Protocol), a Time of Day (ToD) timestamp, and downloading the configuration file using TFTP (Trivial File Transfer Protocol).
Then, as shown in block 226, the modem is registered in the conventional manner. That is, the modem sends its configuration settings to the CMTS, and if the CMTS approves, the CMTS responds indicating that the request succeeded. Finally, as shown in block 227, baseline privacy is established for the modem. If the initialization process succeeds, the system begins operating, as shown in block 22.
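As an added example (not code from the patent or from Cisco), the following Python model contrasts the prior-art ordering described in the Background, where the CMTS learns whether to authenticate from a BPI+ flag that the modem copies out of its own configuration file into REG-REQ, with the Fig. 2 ordering, where the CMTS configuration decides and authentication happens right after ranging. The modems, their configuration files and the trusted-certificate list are constructed sample data, and X.509 validation is replaced by a lookup in that list; the `CmtsConfig` fields and the step names are assumptions of this example, not the patent's identifiers.

```python
# Added example (not the patent's or Cisco's code): CMTS-side model of the
# prior-art DOCSIS initialization ordering versus the early-authentication
# ordering of Fig. 2. All modems, config files and certificates below are
# constructed sample data.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Step(Enum):
    DOWNSTREAM_SCAN = "downstream_scan"
    RANGING = "ranging"
    EARLY_AUTH = "early_auth"
    DHCP = "dhcp"
    TOD = "tod"
    TFTP = "tftp"
    REGISTRATION = "registration"
    BPI_PLUS = "bpi_plus"            # prior art: authentication plus key distribution, last
    BPI_SECONDARY = "bpi_secondary"  # early auth: TEKs for SAIDs other than the primary
    OPERATIONAL = "operational"
    DROPPED = "dropped"
    WALLED_GARDEN = "walled_garden"


# Constructed trust list standing in for the CMTS's X.509 certificate validation.
TRUSTED_CM_CERTS = {"cm-cert-0001", "cm-cert-0002"}


@dataclass
class CableModem:
    mac: str
    cert_serial: Optional[str]   # None: the modem presents no certificate
    config_file: dict            # TLVs downloaded via TFTP; a thief can edit them


@dataclass
class CmtsConfig:                # hypothetical CMTS settings for this example
    early_auth_enabled: bool = True
    on_auth_failure: str = "drop"   # "drop" or "walled_garden" (block 224)


def authenticate(cm: CableModem) -> bool:
    """Stand-in for certificate-based BPI+ authentication."""
    return cm.cert_serial in TRUSTED_CM_CERTS


def prior_art_init(cm: CableModem) -> List[Step]:
    """Seven-step sequence: BPI+ last, and only if REG-REQ says BPI+ is enabled."""
    trace = [Step.DOWNSTREAM_SCAN, Step.RANGING, Step.DHCP, Step.TOD,
             Step.TFTP, Step.REGISTRATION]
    # The CMTS learns whether to authenticate from data the modem itself
    # copies out of its configuration file into REG-REQ.
    reg_req_bpi_enabled = bool(cm.config_file.get("bpi_enabled", False))
    if not reg_req_bpi_enabled:
        trace.append(Step.OPERATIONAL)    # authentication never happens
        return trace
    trace.append(Step.BPI_PLUS)
    trace.append(Step.OPERATIONAL if authenticate(cm) else Step.DROPPED)
    return trace


def early_auth_init(cm: CableModem, cmts: CmtsConfig) -> List[Step]:
    """Fig. 2 ordering: the CMTS decides, and authenticates right after ranging."""
    if not cmts.early_auth_enabled:
        return prior_art_init(cm)         # block 221: fall back to the old process
    trace = [Step.DOWNSTREAM_SCAN, Step.RANGING, Step.EARLY_AUTH]
    if not authenticate(cm):
        # block 224: nothing past authentication is reachable for this modem
        trace.append(Step.WALLED_GARDEN if cmts.on_auth_failure == "walled_garden"
                     else Step.DROPPED)
        return trace
    # Blocks 225-227: provisioning and registration run over an authenticated
    # flow; the modem's bpi_enabled flag is never consulted on this path.
    trace += [Step.DHCP, Step.TOD, Step.TFTP, Step.REGISTRATION,
              Step.BPI_SECONDARY, Step.OPERATIONAL]
    return trace


def reaches_operational_without_auth(trace: List[Step]) -> bool:
    """True if the modem came online with no authentication step in its trace."""
    return (Step.OPERATIONAL in trace
            and Step.EARLY_AUTH not in trace
            and Step.BPI_PLUS not in trace)


# Constructed samples: a stolen modem whose config file had the BPI+ TLV
# removed, and a legitimate modem with a trusted certificate.
TAMPERED_CM = CableModem(mac="00:11:22:33:44:55", cert_serial=None,
                         config_file={"bpi_enabled": False, "max_downstream_kbps": 20000})
LEGIT_CM = CableModem(mac="00:11:22:33:44:66", cert_serial="cm-cert-0001",
                      config_file={"bpi_enabled": True, "max_downstream_kbps": 20000})

if __name__ == "__main__":
    for cm in (TAMPERED_CM, LEGIT_CM):
        print(cm.mac, "prior art :", [s.value for s in prior_art_init(cm)])
        print(cm.mac, "early auth:", [s.value for s in early_auth_init(cm, CmtsConfig())])
```

Running the block shows the tampered modem reaching `operational` under the prior-art sequence with no authentication step in its trace, while under the early-authentication sequence its trace ends at `dropped` (or `walled_garden`, depending on `on_auth_failure`) before DHCP is ever reached; on that path the `bpi_enabled` value in the configuration file plays no role, which is the property the text claims.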
Fig. 3 is a more detailed flow diagram of the operation of the system shown in Fig. 1. As shown in block 302, the process begins by scanning the downstream to find a signal. Then, as shown in block 308, upstream parameters are obtained. Then, as shown in blocks 310 and 340, ranging and automatic adjustment are performed. As shown in block 314, device class identification is optionally performed.
Next, as shown in block 316, the CMTS checks whether early authentication is enabled for the modem. As shown in block 332, if early authentication is not enabled, some special action is taken. For example, cable modem initialization can proceed with the conventional initialization process. Alternatively, the system can be configured to stop the process at this point and alert a human operator.
If early authentication is enabled, the cable modem performs early authentication in blocks 318 and 320. After early authentication, the primary service flow is identified by a security association identifier (SAID). This provides security for the data flow. All subsequent messages, including DHCP packets, ToD packets and TFTP packets, are protected by integrity checking and encryption.
After early authentication is completed in block 320, layer 3 Internet Protocol (IP) connectivity is established in blocks 322 and 324, and the cable modem establishes its time of day in blocks 326 and 328. Then, as shown in block 330, the operating parameters are transferred.
After IP connectivity and the time of day have been established, the cable modem registers with the CMTS, as shown in blocks 332 and 334.
After registration is complete, the modem determines whether baseline privacy is enabled, as shown in block 336. If baseline privacy is not enabled, special action is taken, as shown in block 333: integrity checking and encryption of packets are suspended. Also, the process can be stopped and the operator notified.
If baseline privacy is enabled on this modem, baseline privacy is initialized for the SAIDs other than the primary SAID in block 338. After baseline privacy initialization is completed in block 340, the cable modem is operational, as shown in block 342.
Because the cable modem has already performed early authentication as shown in block 318, the baseline privacy initialization indicated by block 338 includes only encryption using traffic encryption keys (TEKs) for the SAIDs other than the primary SAID. In addition, the actions indicated by block 338 can include security associations for any secondary service flows.
Note that the early authentication at step 318 allows the authentication information to be reused in the subsequent process steps, such as DHCP and TFTP, shown in blocks 222 to 234.
Fig. 4 shows an embodiment of the Cable Modem Termination System (CMTS) 40. The CMTS is configured and programmed to perform the early authentication process shown in Figs. 2 and 3. CMTS 40 includes a processor 420 coupled to a network interface 410. Network interface 410 is configured to send and receive Internet Protocol (IP) packets over a network such as the global Internet. For example, network interface 410 can be Gigabit Ethernet, or alternatively it can be any type of conventional network interface, such as an interface for Asynchronous Transfer Mode (ATM), Synchronous Optical Network (SONET), etc.
Processor 420 is also coupled to a data link interface 430 to send data to and receive data from cable modems 21, 22 and 23. Data link interface 430 can be a coaxial connection or a hybrid fiber-coax (HFC) connection. Network interface 410 and data link interface 430 serve as the ports for communicating via network connection 450 and link-layer connection 460 respectively. Processor 420 is also coupled to a memory 440. Memory 440 stores configuration data 440A, programs 440B that control the various normal operations performed by the CMTS, and authentication or encryption programs 440C that processor 420 runs to perform the initialization process shown in Fig. 2 or Fig. 3. Configuration data 440A specify that, if early authentication is enabled for this cable modem, early authentication is performed, IP connectivity with the cable modem is established, and the cable modem is registered.
Fig. 5 shows an embodiment of cable modems 21, 22 and 23. All of the modems are identical; therefore only one of them, modem 21, is shown in Fig. 5 and described here. Cable modem 21 includes a processor 520, a data link interface 510 and a memory 540 coupled to a local area network (LAN) interface 530. Data link interface 510 connects cable modem 21 to CMTS 40 via a coaxial or HFC network 13.
LAN interface 530 is connected to the personal computers A, B, C and D shown in Fig. 1, or to other consumer premises equipment. LAN interface 530 can also be connected to various other IP-capable devices, wireless devices, etc. Memory 540 stores the authentication and encryption information 570 relevant to cable modem 21. Cable modem 21 and CMTS 40 operate together as a system that performs the initialization steps described herein. Data link interface 510 and LAN interface 530 serve as the ports for communicating via data link connection 550 and LAN connection 560 respectively.
Processor 520 uses data link interface 510 to communicate with CMTS 40 and to receive messages from CMTS 40 in order to perform early authentication for the primary service flow, establish IP connectivity and register with CMTS 40.
In some embodiments of the invention, the operator may wish to have exceptions to early authentication. For example, if users have problems when initializing their cable modem service, they may wish to skip authentication and encryption and simply get online. Therefore, in some embodiments an option is provided by which early authentication can selectively be skipped, either to speed up the initialization of any cable modem or to manage the process of bringing up a particular cable modem. In other embodiments, an option is provided by which early authentication can selectively be skipped to assist tuning, diagnosis and troubleshooting. These options are provided by settings in the configuration file in the CMTS. In some embodiments, when early authentication is enabled for a cable modem, the cable modem must perform authentication before initialization can proceed beyond the authentication step 318 shown in Fig. 3. For example, in some alternative embodiments, CMTS 40 is configured to drop all messages from the cable modem other than authentication messages until the cable modem has been successfully authenticated. Alternatively, CMTS 40 can be configured to direct the cable modem's provisioning messages (DHCP, ToD, TFTP) to a protected area, so as to control provisioning according to the service operator's policy. In some alternative embodiments, when early authentication is disabled at CMTS 40, the cable modem can be initialized in the conventional manner.
Some embodiments can use DHCP to quarantine a particular class of identified cable modems. For example, CMTS 40 can inform the DHCP server or provisioning server that CMTS 40 has early authentication enabled; or CMTS 40 can inform the DHCP server that a particular cable modem has not yet performed early authentication and should be quarantined.
Some embodiments use a special DHCP relay option or sub-option (for example, an Option 82 sub-option in DHCPv4, or an option in the relay message in DHCPv6) to quarantine a particular class of cable modems. By default, CMTS 40 enables early authentication as described above. Early authentication can be disabled, but this causes a loss of network protection. Therefore, when CMTS 40 is in the DHCP quarantine configuration, early authentication remains enabled. In such embodiments, DHCP packets from cable modems that fail early authentication are not dropped but are tagged with a special DHCP Relay Agent Information sub-option (DHCPv4 or DHCPv6) and relayed to the back-end DHCP server. The DHCP server and provisioning server can then recognize these DHCPv4 and DHCPv6 Relay Agent Information sub-options and handle the cable modems that failed authentication according to the back-end server configuration and policy.
In the CMTS DHCP quarantine configuration, if a cable modem attempts to obtain an IPv4 address before performing early authentication, the CMTS can tag that particular type of cable modem with a special DHCP Option 82 sub-option. Operating as a DHCP relay agent, the CMTS inserts the special DHCP Option 82 sub-option into such a cable modem's DHCPv4 packets according to the type of cable modem. Likewise, if a cable modem attempts to obtain an IPv6 address, the CMTS can tag that particular type of cable modem with a special DHCPv6 Vendor-Specific Information Option sub-option. Acting as a DHCP relay agent, the CMTS inserts the special DHCPv6 Vendor-Specific Information Option sub-option into the cable modem's DHCPv6 packets according to the particular type of cable modem.
In some embodiments, CMTS 40 is configured so that, when early authentication is enabled and before the cable modem has authenticated itself, CMTS 40 responds in a specific way to the messages the cable modem sends to CMTS 40. For example, CMTS 40 can drop all messages from the cable modem except authentication messages. This prevents the cable modem from completing any transaction before it is authenticated. Alternatively, CMTS 40 can be programmed to forward messages (DHCP, TFTP, ToD, all non-authentication messages, etc.) to a protected store and to provide limited service to the cable modem until authentication is complete.
In some embodiments, for early authentication the cable modem sends CMTS 40 an early authentication message containing its certificate. If the cable modem's certificate is rejected at CMTS 40, CMTS 40 will generally drop all subsequent packets. CMTS 40 can insert information into the DHCP packets to notify the provisioning server (back end) that this cable modem failed authentication. The provisioning server will then send the cable modem a web page telling the subscriber that they failed authentication, together with contact information for service personnel.
Some embodiments provide an upgradeable method that, while maintaining the early authentication described above to protect the network, provides bonding service to hybrid cable modems. For example, some DOCSIS 2.0-based cable modems support channel bonding and request bonding service with a special ranging request message, but such modems may not be able to perform early authentication. Such cable modems can be called "hybrid cable modems". A hybrid cable modem that cannot perform early authentication does not perform early authentication after ranging. Instead, such a hybrid cable modem starts the DHCP exchange after ranging completes. It does this by sending a DHCPDISCOVER (DHCPv4) or Solicit (DHCPv6) message to CMTS 40 after ranging. Instead of dropping the DHCP packet, CMTS 40 can inspect Option 60 in the client DHCPv4 message and Option 16 in the client DHCPv6 message in order to allow the hybrid cable modem to initialize.
In the example given above, if the value of Option 60 in the DHCPv4 packet indicates DOCSIS 2.0 or lower ("docsis 2.0", etc.), CMTS 40 does not drop the packet but relays it to the back-end DHCP server. Before relaying the DHCP packet from the hybrid CM, CMTS 40 can insert sub-option y into the DHCP Option 82 Vendor-Specific Information Sub-option identified by the vendor's enterprise number. If the value of Option 16 in the DHCPv6 message indicates DOCSIS 2.0 or lower ("docsis 2.0", etc.), CMTS 40 inserts sub-option yy into the Vendor-Specific Information Option, identified by the vendor's enterprise ID, in the DHCPv6 relay message, and relays the packet to the back-end DHCP server.
The back-end DHCP server and provisioning server identify such a cable modem as a hybrid cable modem by recognizing the presence of either (1) sub-option y in the DHCPv4 Option 82 Vendor-Specific Information Sub-option, or (2) sub-option yy in the DHCPv6 Vendor Identifying Vendor Specific Option in the relay message. The provisioning server then provides the hybrid cable modem with a configuration file containing bonding parameters according to the operator's policy.
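The relay-agent handling described in the last several paragraphs, as an added example that is not the patent's or Cisco's code: a CMTS acting as DHCPv4 relay agent decides, for a DHCPDISCOVER from a modem that has not completed early authentication, whether to drop it, tag it as a hybrid (DOCSIS 2.0 or lower, per Option 60) modem and relay it, or, in the DHCP quarantine configuration, tag it as failed-authentication and relay it so the back end can apply policy. Option 60, Option 82 (RFC 3046) and Option 82 sub-option 9 (Vendor-Specific Information, RFC 4243) are real codes; the enterprise number, the inner sub-option codes standing in for the text's "sub-option y", and the sample DHCPDISCOVER payloads are constructed for this example. The DHCPv6 path (Option 16 and the Vendor-Specific Information Option in the relay message) follows the same pattern and is not shown.

```python
# Added example (not the patent's or Cisco's code): CMTS DHCPv4 relay-agent
# policy for modems that have not completed early authentication. Enterprise
# number, inner sub-option codes and sample payloads are constructed.
import re
from typing import Dict, Optional, Tuple

OPT_MSG_TYPE = 53
OPT_VENDOR_CLASS = 60          # Vendor Class Identifier, e.g. b"docsis2.0"
OPT_RELAY_AGENT_INFO = 82      # Relay Agent Information (RFC 3046)
OPT_END = 255
SUBOPT_VENDOR_SPECIFIC = 9     # Option 82 Vendor-Specific Information sub-option (RFC 4243)

ENTERPRISE_NUMBER = 65000      # hypothetical placeholder, not a real vendor's enterprise number
VS_HYBRID_CM = 1               # hypothetical inner code standing in for the text's "sub-option y"
VS_EARLY_AUTH_FAILED = 2       # hypothetical inner code: modem failed early authentication


def parse_options(buf: bytes) -> Dict[int, bytes]:
    """Parse DHCPv4-style TLVs (code, length, value) into a dict; stops at END."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            break
        if code == 0:          # pad octet
            i += 1
            continue
        length = buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def encode_tlvs(tlvs: Dict[int, bytes], terminate: bool) -> bytes:
    """Serialize TLVs; append the END option only for a top-level option list."""
    out = bytearray()
    for code, value in tlvs.items():
        if len(value) > 255:
            raise ValueError("option %d too long" % code)
        out += bytes([code, len(value)]) + value
    if terminate:
        out.append(OPT_END)
    return bytes(out)


def vendor_specific_suboption(enterprise: int, inner: Dict[int, bytes]) -> bytes:
    """RFC 4243 sub-option 9 body: enterprise-number(4) | data-len(1) | vendor TLVs."""
    data = encode_tlvs(inner, terminate=False)
    return enterprise.to_bytes(4, "big") + bytes([len(data)]) + data


def docsis_version(vendor_class: bytes) -> Optional[float]:
    """b'docsis2.0' (the text also writes 'docsis 2.0') -> 2.0; None if not DOCSIS."""
    m = re.fullmatch(rb"docsis\s*(\d+(?:\.\d+)?)", vendor_class.strip().lower())
    return float(m.group(1).decode("ascii")) if m else None


def tag_and_relay(options: bytes, inner_code: int) -> bytes:
    """Insert Option 82 / sub-option 9 carrying inner_code, as the relay agent would."""
    opts = parse_options(options)
    sub = vendor_specific_suboption(ENTERPRISE_NUMBER, {inner_code: b"\x01"})
    opts[OPT_RELAY_AGENT_INFO] = encode_tlvs({SUBOPT_VENDOR_SPECIFIC: sub}, terminate=False)
    return encode_tlvs(opts, terminate=True)


def relay_decision(cm_authenticated: bool, options: bytes,
                   dhcp_quarantine: bool) -> Tuple[str, bytes]:
    """CMTS relay policy for a client DHCPv4 message: ('relay', bytes) or ('drop', b'')."""
    if cm_authenticated:
        return "relay", options                        # normal path after early auth
    opts = parse_options(options)
    version = docsis_version(opts.get(OPT_VENDOR_CLASS, b""))
    if version is not None and version <= 2.0:
        return "relay", tag_and_relay(options, VS_HYBRID_CM)          # hybrid modem exception
    if dhcp_quarantine:
        return "relay", tag_and_relay(options, VS_EARLY_AUTH_FAILED)  # back end applies policy
    return "drop", b""                                 # default: only auth messages get through


def relayed_inner_codes(options: bytes) -> Dict[int, bytes]:
    """Back-end view: recover the vendor TLVs from Option 82 sub-option 9, if any."""
    opt82 = parse_options(options).get(OPT_RELAY_AGENT_INFO)
    if opt82 is None:
        return {}
    sub9 = parse_options(opt82).get(SUBOPT_VENDOR_SPECIFIC)
    if sub9 is None or int.from_bytes(sub9[:4], "big") != ENTERPRISE_NUMBER:
        return {}
    return parse_options(sub9[5:5 + sub9[4]])


# Constructed DHCPDISCOVER option payloads (fixed header and magic cookie omitted).
DISCOVER_DOCSIS20 = encode_tlvs({OPT_MSG_TYPE: b"\x01", OPT_VENDOR_CLASS: b"docsis2.0"}, True)
DISCOVER_DOCSIS30 = encode_tlvs({OPT_MSG_TYPE: b"\x01", OPT_VENDOR_CLASS: b"docsis3.0"}, True)

if __name__ == "__main__":
    for name, payload in (("docsis2.0", DISCOVER_DOCSIS20), ("docsis3.0", DISCOVER_DOCSIS30)):
        for quarantine in (False, True):
            action, fwd = relay_decision(False, payload, quarantine)
            print(name, "quarantine=%s" % quarantine, action, relayed_inner_codes(fwd))
```

`relay_decision` returns the action and the option bytes the back-end DHCP server would receive; `relayed_inner_codes` is the back-end side, recovering the tag so the provisioning server can apply its policy (bonding parameters for a hybrid modem, a notification page for a failed one). One caveat a practitioner would note: Option 60 is asserted by the client, so the hybrid exception relies on an unauthenticated field, and the back end should still limit what a modem tagged as hybrid is provisioned with.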
The invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects as illustrative and not restrictive. The scope of the invention is therefore indicated by the appended claims rather than by the foregoing description, and all changes that come within the meaning and range of equivalency of the claims are to be embraced within their scope.

Claims (14)

1. method that is used for the early authentication of cable modem initialization comprises:
Connect with the link layer of setting up between cable modem and the described Cable Modem Termination System from Cable Modem Termination System transmission message and by described Cable Modem Termination System receipt message;
Send message and authenticate described cable modem by described Cable Modem Termination System receipt message to flow at main services from described Cable Modem Termination System;
From described Cable Modem Termination System send message and by described Cable Modem Termination System receipt message after described cable modem is certified, to set up the IP connectivity between described cable modem and the described Cable Modem Termination System; And
From described Cable Modem Termination System send message and by described Cable Modem Termination System receipt message after described IP connectivity has been set up, to register described cable modem to described Cable Modem Termination System.
2. method according to claim 1 comprises that also the configuration file of inquiring in the described Cable Modem Termination System is to determine the early authentication before whether having enabled registration on the described cable modem.
3. method according to claim 1 comprises:
By sending from described Cable Modem Termination System or determining early authentication before whether having enabled registration on the described cable modem by the message that described Cable Modem Termination System receives, if and the registration before early authentication be not enabled, then abandon except from all message the authentication message of described cable modem until described cable modem by success identity.
4. method according to claim 1; wherein; if the early authentication failure of described cable modem before registration, then described method also comprises the cable modem offer message that will be received by the described Cable Modem Termination System shielded storage area that leads.
5. method according to claim 1, comprise according to sending from described Cable Modem Termination System and determining early authentication before whether having enabled registration on the described cable modem by the message that described Cable Modem Termination System receives, if and the registration before early authentication be not enabled, then after described modulator-demodular unit is registered, authenticate described modulator-demodular unit.
6. A device for early authentication in cable modem initialization, comprising:
means for sending messages from a Cable Modem Termination System and receiving messages at the Cable Modem Termination System to establish a link-layer connection between a cable modem and the Cable Modem Termination System;
means for sending messages from the Cable Modem Termination System and receiving messages at the Cable Modem Termination System to authenticate the cable modem on a primary service flow;
means for sending messages from the Cable Modem Termination System and receiving messages at the Cable Modem Termination System, after the cable modem has been authenticated, to establish IP connectivity between the cable modem and the Cable Modem Termination System; and
means for sending messages from the Cable Modem Termination System and receiving messages at the Cable Modem Termination System, after the IP connectivity has been established, to register the cable modem with the Cable Modem Termination System.
7. The device according to claim 6, further comprising means for querying a configuration file in the Cable Modem Termination System to determine whether early authentication before registration is enabled for the cable modem.
8. The device according to claim 6, comprising means for determining, by messages sent from or received by the Cable Modem Termination System, whether early authentication before registration is enabled for the cable modem, and, if early authentication before registration is not enabled, discarding all messages from the cable modem other than authentication messages until the cable modem has been successfully authenticated.
9. The device according to claim 6, comprising means operable in the Cable Modem Termination System for directing the cable modem offer messages received by the Cable Modem Termination System to a protected storage area if early authentication of the cable modem before registration fails.
10. The device according to claim 6, comprising means in the Cable Modem Termination System for providing Dynamic Host Configuration Protocol (DHCP) offer messages, Time of Day (ToD) offer messages and Trivial File Transfer Protocol (TFTP) offer messages.
11. The device according to claim 6, further comprising means for encrypting at least one secondary service flow with a traffic encryption key (TEK).
12. A method for a cable modem for early authentication in cable modem initialization, comprising:
receiving, via a link-layer connection with a Cable Modem Termination System, messages from the Cable Modem Termination System before registration of the cable modem, to perform authentication of the cable modem on a primary service flow;
establishing IP connectivity with the Cable Modem Termination System; and
registering the modem with the Cable Modem Termination System after the authentication is complete.
13. The cable modem according to claim 12, further comprising encrypting at least one secondary service flow with an encryption key.
14. The cable modem according to claim 12, wherein the cable modem comprises a configuration file.
CN2006800554928A 2006-07-27 2006-10-25 Early authentication in cable modem initialization Active CN101501670B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US11/460,570 US8255682B2 (en) 2006-07-27 2006-07-27 Early authentication in cable modem initialization
US11/460,570 2006-07-27
PCT/US2006/060233 WO2008013565A1 (en) 2006-07-27 2006-10-25 Early authentication in cable modem initialization

Publications (2)

Publication Number Publication Date
CN101501670A CN101501670A (en) 2009-08-05
CN101501670B true CN101501670B (en) 2013-10-23

Family

ID=38981767

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2006800554928A Active CN101501670B (en) 2006-07-27 2006-10-25 Early authentication in cable modem initialization

Country Status (4)

Country Link
US (1) US8255682B2 (en)
EP (1) EP2052327B1 (en)
CN (1) CN101501670B (en)
WO (1) WO2008013565A1 (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8578465B2 (en) 2009-07-21 2013-11-05 Cisco Technology, Inc. Token-based control of permitted sub-sessions for online collaborative computing sessions
US9015481B2 (en) * 2011-02-22 2015-04-21 Honeywell International Inc. Methods and systems for access security for dataloading
US9479353B2 (en) * 2011-10-13 2016-10-25 Cisco Technology, Inc. Selective reestablishment of cable modem internet protocol connectivity
EP2940926B1 (en) * 2014-04-28 2017-01-25 Siemens Aktiengesellschaft Method for configuring a communication device within an industrial automation system and distribution unit for a configuration server of an industrial communication network
WO2015196441A1 (en) * 2014-06-27 2015-12-30 华为技术有限公司 Configuration file acquisition method, apparatus and system
CN105721397A (en) * 2014-12-04 2016-06-29 华为技术有限公司 CM registration method and device
US10805291B2 (en) * 2015-09-11 2020-10-13 Comcast Cable Communications, Llc Embedded authentication in a service provider network
US10432457B2 (en) * 2016-05-20 2019-10-01 Arista Networks, Inc. Method and system for performing a read-modify-write operation on a network element
CN106656699A (en) * 2017-01-11 2017-05-10 鼎点视讯科技有限公司 Access method and device for communication terminal
TWI668971B (en) * 2018-02-12 2019-08-11 和碩聯合科技股份有限公司 A modem device and a method for verifying data
CN113692311A (en) 2018-12-20 2021-11-23 哈文技术解决方案有限公司 Apparatus and method for gas-liquid separation of multiphase fluids
US10478753B1 (en) 2018-12-20 2019-11-19 CH International Equipment Ltd. Apparatus and method for treatment of hydraulic fracturing fluid during hydraulic fracturing
US11870768B1 (en) 2020-04-10 2024-01-09 Cisco Technology, Inc. Certificate-based techniques to securely onboard a radio interface unit
CN114338547A (en) * 2020-09-30 2022-04-12 艾锐势企业有限责任公司 Electronic device, method, and storage medium for enhancing uplink transmission performance

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6028933A (en) * 1997-04-17 2000-02-22 Lucent Technologies Inc. Encrypting method and apparatus enabling multiple access for multiple services and multiple transmission modes over a broadband communication network
US6070246A (en) * 1998-02-04 2000-05-30 3Com Corporation Method and system for secure cable modem initialization
US6170061B1 (en) * 1998-02-04 2001-01-02 3Com Corporation Method and system for secure cable modem registration

Family Cites Families (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5918019A (en) 1996-07-29 1999-06-29 Cisco Technology, Inc. Virtual dial-up protocol for network communication
US6137793A (en) 1997-12-05 2000-10-24 Com21, Inc. Reverse path multiplexer for use in high speed data transmissions
US6049826A (en) * 1998-02-04 2000-04-11 3Com Corporation Method and system for cable modem initialization using dynamic servers
US6058421A (en) * 1998-02-04 2000-05-02 3Com Corporation Method and system for addressing network host interfaces from a cable modem using DHCP
US6189102B1 (en) 1998-05-27 2001-02-13 3Com Corporation Method for authentication of network devices in a data-over cable system
US6986157B1 (en) * 1998-12-21 2006-01-10 3Com Corporation Method and system for dynamic service registration in a data-over-cable system
US7099338B1 (en) * 1999-02-27 2006-08-29 3Com Corporation System and method for insuring dynamic host configuration protocol operation by a host connected to a data network
US6434141B1 (en) 1999-05-26 2002-08-13 Bigband Networks, Inc. Communication management system and method
US6819682B1 (en) 1999-09-03 2004-11-16 Broadcom Corporation System and method for the synchronization and distribution of telephony timing information in a cable modem network
US7065779B1 (en) 1999-10-13 2006-06-20 Cisco Technology, Inc. Technique for synchronizing multiple access controllers at the head end of an access network
US7149223B2 (en) 2000-03-06 2006-12-12 Juniper Networks, Inc. Enhanced fiber nodes with CMTS capability
US7274679B2 (en) 2000-06-22 2007-09-25 Mati Amit Scalable virtual channel
KR100672400B1 (en) 2000-11-20 2007-01-23 엘지전자 주식회사 Apparatus and method for configuration file downloading in cable modem
US7110398B2 (en) 2001-01-12 2006-09-19 Broadcom Corporation Packet tag for support of remote network function/packet classification
EP1356653B1 (en) 2001-01-24 2011-07-20 Broadcom Corporation Method for processing multiple security policies applied to a data packet structure
US6952428B1 (en) * 2001-01-26 2005-10-04 3Com Corporation System and method for a specialized dynamic host configuration protocol proxy in a data-over-cable network
US20020133618A1 (en) 2001-03-14 2002-09-19 Desai Bhavesh N. Tunneling system for a cable data service
US6993050B2 (en) 2001-03-14 2006-01-31 At&T Corp. Transmit and receive system for cable data service
US7139923B1 (en) 2001-06-27 2006-11-21 Cisco Technology, Inc. Technique for synchronizing network devices in an access data network
US7639617B2 (en) 2001-06-27 2009-12-29 Cisco Technology, Inc. Upstream physical interface for modular cable modem termination system
US7782898B2 (en) 2003-02-04 2010-08-24 Cisco Technology, Inc. Wideband cable system
US7023871B2 (en) 2003-05-28 2006-04-04 Terayon Communication Systems, Inc. Wideband DOCSIS on catv systems using port-trunking
US7293282B2 (en) * 2003-07-03 2007-11-06 Time Warner Cable, Inc. Method to block unauthorized access to TFTP server configuration files
US8149833B2 (en) 2004-05-25 2012-04-03 Cisco Technology, Inc. Wideband cable downstream protocol
US7817553B2 (en) * 2004-05-25 2010-10-19 Cisco Technology, Inc. Local area network services in a cable modem network
US7539208B2 (en) 2004-05-25 2009-05-26 Cisco Technology, Inc. Timing system for modular cable modem termination system
US7532627B2 (en) 2004-05-25 2009-05-12 Cisco Technology, Inc. Wideband upstream protocol
US20070011735A1 (en) * 2005-07-06 2007-01-11 Cable Television Laboratories, Inc. Open standard conditional access system

Also Published As

Publication number Publication date
EP2052327A1 (en) 2009-04-29
EP2052327B1 (en) 2017-08-23
CN101501670A (en) 2009-08-05
US20080028437A1 (en) 2008-01-31
US8255682B2 (en) 2012-08-28
EP2052327A4 (en) 2014-06-25
WO2008013565A1 (en) 2008-01-31

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant